Malicious RTF — malware analysis report

Static analysis result for SHA-256 6814d4df330148c7…

MALICIOUS

RTF

1.21 MB Created: 2017-07-12 17:10:00 First seen: 2019-05-31
MD5: 793511c86a0469d579ff8cc99a7311e3 SHA-1: b33699933812cf8307173a729cb24e4237449e60 SHA-256: 6814d4df330148c790d8a2a8bc89d20f76d879efa0e5396ced581d10e38d5dd2
200 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains embedded OLE objects, specifically a package object, which is a strong indicator of malicious intent. The critical heuristic firing for CVE-2017-8759 confirms exploitation of this vulnerability, likely leading to the execution of a secondary payload. The ClamAV detection further supports the malicious classification.

Heuristics 5

  • CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759
    RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
  • ClamAV: Win.Phishing.Suspicious-6355521-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Phishing.Suspicious-6355521-4
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00015b24.bin rtf-objdata-decoded RTF \objdata at offset 0x15B24 12456 bytes
SHA-256: 52a3f238b0aead17731ba23d92d92d695f1e46ca995418ab283824471baeab6d

Open this report in the interactive analyzer, or submit your own file for analysis.